GRC is Dead

I have to admit, I don’t really understand greedy desperation. Or desperate greed. For example, although I enjoy having a decent income, I don’t obsess about the big score. Someday I’d like a moderate score for a little extra financial security, but I’m not about to compromise my lifestyle or values to get it. As a business I know who my customers are and I make every effort to provide them with as much value as possible.

That’s why I don’t grok this whole GRC obsession (Governance, Risk, and Compliance) among certain sectors in the vendor community. It reeks of unnecessary desperation like the happily married drunk at the bar seething at all the fun of the singles partying around him. He’s got it good, but that’s not enough.

One of the first things I covered over at Gartner was risk management, and I even started the internal risk research community. This was before SOX, and once that hit a few of us started adding in compliance coverage. Early on I started covering the predecessors to today’s GRC tools, and was even quoted in Fortune magazine saying there was almost no market for this stuff (some were predicting it would be billions). That, needless to say, pissed off a few vendors, most of which are now out of business or on life support.

Now I’m about to rant on GRC, but please don’t mistake this as criticism of governance, risk management, or compliance. All are important, and tightly related, but they are tools to achieve our business goals, not goals in and of themselves.

GRC, however, is a beast unto itself. GRC is now code for “selling stuff to the C-level”. It has little to do with real governance, risk, and compliance, and everything to do with selling under-performing products at inflated prices. When a vendor says “GRC” they are saying, “here’s our product to finally get us into the Board Room and the CEO’s office”. The problem is, there isn’t a market for GRC. Let’s look at the potential buyers:

C-Level Executives (the CEO and CFO)

Auditors (internal)

Auditors (external)

Business unit managers (including the CSO/security).

Before going any further let’s just knock off external auditors, since they aren’t about to spend on anything except their own internal tools, which GRC doesn’t target.

Now let’s talk about what GRC tools do. There is no consistent definition, but current tools evolved from the SOX compliance reporting tools that appeared when Sarbanes-Oxley hit. Those came from a few places, but primarily a mix of risk documentation and document management, with controls libraries licensed from the Big Four accounting firms sprinkled in. I was never enamored of these tools, since they did little more than help you document processes. That’s fine if you charge reasonable prices, but many of them were overpriced, detached from operational realities unless you dedicated staff to them, and often just repurposed products which had failed at their primary goal. Most of the tools now focus on providing executives with a “dashboard” of risk and compliance. They can document controls, sometimes take live feeds from other applications, “soft-test” controls (e.g., send an email to someone to confirm they are doing what the tool thinks they are doing), and generate reports. Much of what we call GRC should really be features of your ERP and accounting software.

In the security world, most of what we call GRC tools are dashboard and reporting tools that survey or plug into the rest of our security architecture. Conceptually this is fine, except we see the tools drifting away from being functional for those with operational responsibilities and focusing instead on genericizing content for the “business” audience and auditors. It’s an additional, very highly priced, reporting layer.

That’s why I think this category is not only dead, it was never born. There is no one in an enterprise who will use a GRC tool on a day-to-day basis. The executives want their reports at the end of the quarter, and probably don’t mind a dashboard to glance at, but they’ll never drill down into all the minutiae of controls that probably aren’t what’s really being used in the first place. It’s not what they’re paid for. Internal auditors might also use reports and status checks, but they can almost always get this information from other sources. A GRC tool provides almost no value at the business unit level, since it doesn’t help anyone get their day-to-day job done.

The pretty dashboards and reports might be worth a certain investment, but not the six-figure plus fees most of them run for. No one really needs a GRC tool, since the tools don’t really perform productive work.

We’re seeing an onslaught of security (and other) vendors jumping on GRC because they think it will get them access to the CEO/CFO and bigger deals. But the CEO and CFO don’t give a rat’s ass how we do security; they just need to know if they are secure enough. That’s what they hire the CSO for, and it’s the CSO’s job to provide the right reports. These vendors would be better served by making great products and building in good reporting and management features that make the security team’s job easier.

Focus on helping security teams do their jobs and getting the auditors off their backs, rather than selling to a new audience that doesn’t care. Stop trying to sell to an audience (the CEO) that doesn’t care about you, when you have plenty of prospects out there drooling over those rare, good, functional products. Plenty of products get a boost from compliance, but they aren’t dedicated to it.

Don’t believe me? Go look at what people are really buying. Go ask your own CEO if he wants the latest GRC tool and will pay for it. Ask him if he wants to talk to any more vendors. Ask the operational guys if it will help them get their jobs done.

GRC is a feature, not a product. It’s a reporting tool, not a new paradigm for doing business.

As for the “practice” of GRC? I wouldn’t bet my career on a buzzword created by a small group of vendors to sell more product and jump on the bandwagon of yet another buzzword (compliance).

Compliance is real. Risk management is real. Governance and security are real. GRC is an unrequited wet dream leaving a rash of vendor blueballs in its wake.

Comments:

By Allen Baranov on 05/13 at 09:00 PM

It’s amazing how companies have "what we tell the auditors to be compliant" and "what we also do but don’t want to tell the auditors because it would just generate red tape but what /really/ keeps us secure".

On the other hand - it is nice to have something like GRC which can be used to get more money for security.

By rybolov on 05/14 at 03:13 AM

Wow, rmogull is channelling Steinnon for the past couple of weeks: Data classification is dead, GRC is dead, risk management is dead, being dead is dead, and death protection is dead.

Brain… hurts… must… write… own… post.

By Let’s Face it on 05/14 at 04:12 AM

[...] interesting, especially if you’re a government employee. Thanks for visiting and happy hacking! Rmogull of Securosis and Gunnar Peterson claim that GRC is dead. In my typical global-brained style, I want to cut to [...]

By GRC on 05/14 at 09:42 AM

[...] on the heels of my GRC is Dead post, an associate sent me a private rant on a past experience where the investors drove his company [...]

By alan shimel on 05/14 at 03:14 PM

Rich, I think you are mistaking the tip of the iceberg for the entire mountain of ice under the water. The dashboards and reports of GRC are the by-product, but not the actual work of most GRC products. They are the checkbox, but the actual work of making sure you are compliant is what the work of GRC is about.
I have written more about this on my blog at http://www.stillsecureafteralltheseyears.com/ashimmy/2008/05/rich-mogull-doe.html

By Shimel Wants To Sell You A Dead Parrot. On An Iceb on 05/15 at 03:38 AM

[...] In Alan’s latest post he seems to think I’m a bit naive and off base in my criticism of GRC. [...]

By GRC - Why It’s of LIMITED Interest to Me on 06/10 at 10:45 AM

[...] to Me I wanted to post a “rah rah” message to Rich Mogul when he posted that GRC platforms Are Dead. He was so spot on in my humble opinion that he made me smile for a week or so. I may be a bolshy [...]

By Audit Trail Blog Archive » The GRC Dogpile on 06/12 at 03:56 PM

[...] seems like everyone is piling onto GRC these days. First Rich Mogull declares GRC is dead. Trent Henry blogged about how a key theme in upcoming Burton Group research will be debunking GRC [...]

By Lurker on 06/23 at 02:55 AM

Isn’t "paradigm shift" just another word for "fad"?

By rmogull on 06/23 at 03:50 AM

@Lurker…

I had this whole big argument planned to respond to that once I got back to the office, but you beat me to it with one short sentence.

Well done.

Carole,

I’m intimately familiar with GRC. It’s not even close to a paradigm shift. It’s a business fad that will fade like many others. The core principles of good governance, risk management, and compliance are all solid, but tossing them together under a new acronym and calling it a paradigm shift is ridiculous.

But it might make some consultants and similar organizations a lot of money…

By Dan Wilder on 07/30 at 01:37 AM

Wow, it sure seems like many people have varying thoughts on this topic. I’d like to interject some reality here.

The ISO, ITIL & ISACA organizations have all developed frameworks and guidance on the general topic known as GRC. Now I am not advocating for the GRC term or what vendors have mistaken it to mean.

The point is that organizations need to install controls to manage their business. This is a requirement of SOX eDiscovery, Basel II as well as other regulations. These controls cannot be successful without some level of understanding of the operational functions of the organization in which they are installed.

I believe that the term GRC is misunderstood to mean a software solution. It is not. It is a process based solution that collects and analyzes data to a set of operational guidelines that determine if the control is in compliance. If not, then the risk of being out of compliance must be measured and quantified into a financial value. From a governance side of the term, internal audits (dashboards display this) evaluate as part of the checks and balance process.

If all this is ingrained into the operational facets of the organization, then it provides the "C" level transparency needed for continued funding, the operational transparency for quick remediation and the functional usefulness of the day to day control of the business and IT operations.

My view of GRC is it is an acronym used to sell the service of providing a set of tools used to assist the function of the organization in meeting its objectives to grow and prosper in today’s market place.

To review this definition of what GRC really is, simply read the British Standards Institute’s BS 25999 standard. This standard is at the forefront of the above organizations’ frameworks, providing the guidance needed to enable organizations to become resilient through process management with continual improvement.

This was further emphasized during the recent Seminar on GRC hosted by NASDAQ in March 2008 (http://www.nasdaq.net/PublicPages/GRC%20Web%20Seminar%20-%20March%202008%20presentation.pdf). One of the seminar’s speakers was Scott Mitchell, Chairman & CEO, OCEG, who clarified the GRC term to the meaning stated above when he stated that “GRC is the Backbone” of a harmonized approach to governance, risk and compliance through a foundation of People, Processes & Technology.

I’m sorry, but blatantly calling GRC dead just because a few vendors misused the term is a disservice to businesses. I have developed and deployed a model in a global logistics and transportation company utilizing these principles which reduced fiscal risk by 17%, dropped the IT run rate by 50% and improved service delivery availability by 40% over a period of 14 months. All of which exceeded the requirements of the external auditors, which got them off the backs of those tasked with the day to day operations.

I am a believer in the true meaning of GRC… It is not dead, just beginning to be understood!

By Lurker on 07/30 at 03:26 AM

OK - I’ll be a little less glib and sarcastic this time. I have to agree with Dan Wilder on the subject of controls being more process oriented than software. In fact, a partner I worked for at PwC maintained that there is no such thing as computer controls. The control only happens when a PERSON views the edit list / exception report / error log and DOES SOMETHING ABOUT IT.

At the time we were looking at the internal audit reports of a bank which made a big deal about a case of beer being found in the data center but just glossed over a log showing a huge number of failed login attempts. In our minds, the auditor had his priorities reversed.

When looking at systems, I have seen software that produced a small book of system documentation that was basically ignored along with a one page overview flowchart created by a human to demonstrate a glaring weakness. Which would you read / act on?

By Martin Kuppinger on 07/31 at 12:34 AM

You’re right that the viewpoint of GRC as a one-way road isn’t sufficient. GRC isn’t only about audit. If you focus on this part of GRC, then it is - to cite Paul Heiden of BHOLD Company - dealing with FUD (fear, uncertainty, doubt). Then it is about avoiding penalties, but it doesn’t deliver a real business value.
But GRC, from our perspective, is two-way - it is about business control in the full sense of the word, e.g. managing and auditing. The Enterprise Authorization Management part of GRC is about control. And Risk Management done right provides the ability for a more efficient management, by focusing on exceptions.
But when you limit GRC to some analysis and dashboard functionality, then it isn’t sufficient - fully agreed. GRC as the business layer above many core parts of IT like Identity and Access Management is definitely valuable.
I’ll add some thoughts to this in my blog http://blogs.kuppingercole.de/kuppinger today.

By GRC isn’t dead | Martin Kuppinger on 07/31 at 12:47 AM

[...] I’ve seen a blog entry which claimed that GRC is dead. That reminded me about the closing keynote of our European Identity [...]

By Sumner Blount on 08/01 at 07:58 AM

As an employee of a “GRC vendor”, I suggest that although there is some truth in your points, you may be throwing the baby out with the bathwater.

First, I agree that GRC has become an overused term, something that some vendors have attached to their positioning to be able to take advantage of the interest in this area. One of the problems, in my view, is that “G”, “R”, and “C” have been seemingly merged into a single concept as if they were interchangeable pieces of the puzzle. Anybody who is familiar with compliance and risk management is well aware that these concepts are different, though obviously related. They have different target buyers and different pain points. And, of course, Governance is a different type of concept itself. So, the continual and widespread use of GRC as a single concept is a somewhat unfortunate and possibly confusing artifact of the way that this market has emerged.

Still, what is new about this market area is the centralization and simplification of risk and compliance information and initiatives across the enterprise. When a variety of different tools are used, and when compliance and risk information is dispersed (and usually duplicated) around the organization, it’s obvious that redundancies, inefficiencies, and inconsistencies result. This is one of the more important problems that these “GRC tools” are intended to solve, and one that they generally do very well on.

And, I agree that GRC is not a paradigm shift. It’s what I would call the “next step” in managing risk and compliance initiatives, but we’re not talking about a revolutionary step for most organizations. It’s an effective way of harmonizing these efforts, and maximizing the use of people and processes. But, the fact that an occasional vendor pitches it as a paradigm shift shouldn’t detract from the important benefits that these products can provide.

I disagree with your notion that GRC is simply a way to sell to the C-level. C-level people, in my experience, don’t pick up a mouse when they want to find out what’s happening with compliance – they pick up the phone. But, the people who receive that call do need to have complete visibility into their risk and compliance activities, and that’s where a GRC Manager-type product can really help out.

I also was intrigued by your statement that: There is no one in an enterprise that will use a GRC tool on a day to day basis. So, I called up our Senior VP of IT Compliance who is leading a team that has deployed our GRC Manager product throughout the company. His experience was quite different. He has reduced the number of controls that had been implemented by roughly 50%, and his response was: “we’re in there every day – all day documenting controls, test work, remediation plans, as well as progress and time.” He concluded that either you weren’t familiar with the type of activities that a compliance executive was involved in, or you had unpleasant experience with a bad product.

In any event, I think we can agree that “GRC” can be an overused and misunderstood term. It’s not a paradigm shift. But, it IS a unifying and simplifying principle that can have significant cost and automation benefits to any company that is facing complex compliance challenges.

By Jeremy Wilde on 09/25 at 02:57 AM

Unbelievable, if I hadn’t heard it all before.
The imposition of legal and regulatory obligations requiring adequate information security controls to protect personal data and against fraud is a risk, a threat that information security does not generally seem to be able to answer, and that is why “GRC” as you define it has happened - because someone had to answer it, because it is a big and expensive threat!

By Allen Baranov on 09/25 at 06:58 PM

I got a negative finding from our auditors because the "password history" setting was documented differently in our standards. I then spent hours going through the documentation looking for this setting in all the standards, altering it and now I have made a new standard (a daddy standard) that says that if you set "password history" to anything it must be "x".

I then had to rush around getting all of the standards signed.

I then had to sit with the auditors explaining the new standards and justifying the changes.

If you know what the "password history" setting is then you’ll know that it is really there just to stop users from changing their passwords a number of times until the old password is usable again. It is a very arbitrary setting.

In the mean time I could have been working on something important.
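
The cycling behaviour Allen describes above, as an added example that is not code from the page or from any of the commenters. It assumes the usual directory-policy semantics (a "password history" of N remembered passwords that may not be reused, plus an optional minimum password age); the account, policy and sample password values are constructed for the demonstration. It shows why the history setting on its own is easy to defeat, and why the minimum-age setting is the control that actually stops the cycling:

```python
"""Password-history policy simulator (added example; assumed policy semantics, not from the page)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PasswordPolicy:
    history_length: int      # recent passwords (current one included) that may not be reused
    min_age_days: int = 0    # days that must pass before a password may be changed again


@dataclass
class Account:
    password: str
    history: List[str] = field(default_factory=list)   # oldest first, current password last
    last_change_day: int = 0

    def __post_init__(self) -> None:
        if not self.history:
            self.history = [self.password]


def remembered(account: Account, policy: PasswordPolicy) -> List[str]:
    """Passwords the history check still refuses under this policy."""
    if policy.history_length <= 0:
        return []
    return account.history[-policy.history_length:]


def change_password(account: Account, policy: PasswordPolicy,
                    new_password: str, today: int) -> bool:
    """Apply one change request; True if accepted, False if the policy refuses it."""
    if today - account.last_change_day < policy.min_age_days:
        return False                              # minimum age not yet reached
    if new_password in remembered(account, policy):
        return False                              # still inside the remembered history
    account.history.append(new_password)
    account.history = account.history[-max(policy.history_length, 1):]
    account.password = new_password
    account.last_change_day = today
    return True


def changes_to_reuse(policy: PasswordPolicy, old: str,
                     max_attempts: int = 100) -> Optional[int]:
    """Simulate a user who wants `old` back and changes passwords repeatedly on one day.

    Returns how many changes it took to land on `old` again, or None if the policy
    stopped the user (a change was refused outright, or the attempt budget ran out).
    """
    account = Account(password=old)               # constructed account, set on day 0
    day = 0
    for attempt in range(1, max_attempts + 1):
        if change_password(account, policy, old, day):
            return attempt                        # history no longer remembers `old`
        if not change_password(account, policy, f"throwaway{attempt}", day):
            return None                           # refused: cannot keep cycling today
    return None


if __name__ == "__main__":
    weak = PasswordPolicy(history_length=5, min_age_days=0)
    fixed = PasswordPolicy(history_length=5, min_age_days=1)
    print("history 5, no min age:", changes_to_reuse(weak, "Winter2008!"))    # 6
    print("history 5, min age 1d:", changes_to_reuse(fixed, "Winter2008!"))   # None
```

With a history of 5 and no minimum age the user is back on the original password after six changes, however large "x" in the standard is made; the number only shifts the effort. Setting a minimum password age refuses the second change of the day, which is what makes the history setting hold.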

By Jeremy Wilde on 09/27 at 05:21 AM

Allen, I had to laugh at that one - it sounds like SOX, but you know you’ve got to take the rough with the smooth…